03.02.2026

Hans: Tunneling IPv4 Over ICMP When Nothing Else Works


You're on a network. SSH is blocked. HTTPS is blocked. Even DNS is locked down. But somehow, ping works. Sound familiar? This is where ICMP tunneling saves the day, and Hans is one of the most reliable tools for the job.

What Is Hans?

Hans is a utility that tunnels IPv4 traffic through ICMP echo request and reply packets—essentially hiding your network traffic inside pings. It creates a virtual network interface (tun device) and routes packets through ICMP, bypassing firewalls that only filter TCP and UDP.

Key features:

  • Reliability: Works even when firewalls allow only one echo reply per request
  • Authentication: Challenge-response login mechanism
  • Multi-client: Supports up to 253 simultaneous clients
  • Cross-platform: Server runs on Linux; clients work on Linux, macOS, Windows, FreeBSD, and OpenBSD

When Would You Need This?

ICMP tunneling is useful in several scenarios:

  1. Captive portals: Hotel or airport WiFi that requires payment but allows pings
  2. Restrictive corporate networks: When only ICMP is allowed outbound
  3. Network testing: Verifying firewall rules and egress filtering
  4. Emergency access: Getting connectivity when everything else fails

⚠️ Legal notice: Only use this on networks you own or have explicit permission to test. Unauthorized network tunneling may violate policies or laws.

How It Works

Hans encapsulates IP packets inside ICMP echo requests (type 8) and echo replies (type 0). The client sends requests to the server, which responds with replies containing the tunneled data.

┌─────────────┐        ICMP Echo         ┌─────────────┐
│   Client    │ ───────────────────────▶ │   Server    │
│  (behind    │        Request           │ (public IP) │
│  firewall)  │ ◀─────────────────────── │             │
│             │        ICMP Echo         │             │
└─────────────┘         Reply            └─────────────┘
        │                                       │
        ▼                                       ▼
   tun0: 10.1.2.2                         tun0: 10.1.2.1

A firewall that filters only on protocol and ICMP type sees what looks like ordinary ping traffic. Unless it also inspects the echo payload, the tunneled packets pass through without being flagged.

Installation

From Source (Linux/macOS)

git clone https://github.com/friedrich/hans.git
cd hans
make

Pre-built Binaries

Download from SourceForge:

Prerequisites

Linux: Enable the tun module:

sudo modprobe tun

macOS: Install tun/tap drivers from tuntaposx

Windows: Install TAP driver via OpenVPN installer (select "TAP Virtual Ethernet Adapter")

Running Hans

Server Setup (Linux Only)

The server must run on a machine with a public IP address:

# Disable kernel ICMP echo replies (Hans answers echo requests itself)
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

# Start Hans server (arguments given with -p are visible to local users in the process list)
sudo ./hans -s 10.1.2.0 -p your_secure_password

# Enable IP forwarding and NAT for internet access (eth0 = the server's outbound interface)
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE

Client Connection

# Connect to the server
sudo ./hans -c server_public_ip -p your_secure_password

# Verify the tunnel
ip addr show tun0
ping 10.1.2.1

Once connected, route your traffic through the tunnel:

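# Keep the route to the Hans server on the physical link first; otherwise
# the tunnel's own ICMP packets are routed into tun0 (original_gateway is a placeholder)
sudo ip route add server_public_ip via original_gateway

# Route all traffic through the tunnel
sudo ip route replace default via 10.1.2.1 dev tun0

# Or just specific destinations
sudo ip route add 192.168.100.0/24 via 10.1.2.1 dev tun0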

Troubleshooting Tips

If you're experiencing issues, run Hans in debug mode:

sudo ./hans -c server_ip -p password -fv

Common adjustments:

Flag       Purpose
-r         Respond to regular pings (helps detection evasion)
-w N       Set polling window (lower = more reliable, slower)
-q         Change sequence number with each packet
-i         Change echo ID with each packet
-u user    Drop privileges after starting

Firewall Considerations

Some firewalls perform stateful ICMP inspection. If Hans doesn't work:

  1. Try reducing the poll window: ./hans -c server -p pass -w 1
  2. Enable sequence number randomization: ./hans -c server -p pass -q
  3. As a last resort, randomize echo IDs: ./hans -c server -p pass -i

Performance Expectations

ICMP tunneling is not fast. Expect:

  • Latency: Higher than normal (packets wrapped in ICMP)
  • Throughput: 50-500 Kbps typically
  • Reliability: Depends on firewall behavior

It's designed for emergency access, not streaming video.

Alternatives to Consider

Tool          Protocol    Notes
iodine        DNS         Tunnels through DNS queries
ptunnel-ng    ICMP        Fork of original ptunnel
icmptx        ICMP        Hans was inspired by this

Security Implications

As a defender, ICMP tunneling is something to watch for:

  1. Monitor ICMP traffic volume: Unusual amounts of echo traffic may indicate tunneling
  2. Inspect ICMP payloads: Standard pings have predictable patterns; tunneled data doesn't
  3. Rate-limit ICMP: Restrict echo requests to reasonable levels
  4. Consider blocking: If ICMP isn't operationally needed, block it
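
A sketch of the payload inspection in point 2, added here as an example and not taken from Hans or any monitoring product. It flags client/server pairs whose echo payloads do not match stock ping data or whose replies do not mirror the request. The function names, the `min_hits` threshold, the stock ping patterns (Windows ping data; Linux iputils ping with a 16-byte timestamp) and the sample packets are all assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"  # data sent by Windows ping

def build_echo(icmp_type, ident, seq, payload):
    """Constructed ICMP echo message; checksum left at 0 and not validated."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def is_stock_ping(payload):
    """Windows ping data, or iputils ping: 16-byte timestamp, then byte i == i."""
    expect = bytes(i & 0xFF for i in range(len(payload)))
    return payload == WINDOWS_FILL or (len(payload) > 16 and payload[16:] == expect[16:])

def find_tunnel_suspects(packets, min_hits=3):
    """packets: (src_ip, dst_ip, raw_icmp) tuples. Returns {(client, server): reasons}."""
    pending = {}  # (client, server, id, seq) -> payload of the last request
    hits = defaultdict(lambda: defaultdict(int))
    for src, dst, raw in packets:
        if len(raw) < 8 or raw[0] not in (ECHO_REQUEST, ECHO_REPLY):
            continue
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
        payload = raw[8:]
        flow = (src, dst) if icmp_type == ECHO_REQUEST else (dst, src)
        key = flow + (ident, seq)
        if icmp_type == ECHO_REQUEST:
            pending[key] = payload
        elif pending.get(key, payload) != payload:
            # RFC 792: an echo reply must return the request's data unchanged
            hits[flow]["reply_differs_from_request"] += 1
        if not is_stock_ping(payload):
            hits[flow]["nonstandard_payload"] += 1
    return {f: sorted(r for r, n in c.items() if n >= min_hits)
            for f, c in hits.items() if max(c.values()) >= min_hits}

def sample_capture():
    """Constructed traffic: a normal Linux ping exchange and a tunnel-like flow."""
    normal = bytes(16) + bytes(range(16, 56))
    pkts = []
    for seq in range(1, 5):
        pkts.append(("192.0.2.10", "198.51.100.1", build_echo(8, 0x1234, seq, normal)))
        pkts.append(("198.51.100.1", "192.0.2.10", build_echo(0, 0x1234, seq, normal)))
    for n in range(4):  # same id/seq reused, reply data unrelated to the request
        pkts.append(("192.0.2.20", "203.0.113.5", build_echo(8, 0x4242, 0, bytes([n]) * 5)))
        pkts.append(("203.0.113.5", "192.0.2.20", build_echo(0, 0x4242, 0, bytes([0x45, n]) * 20)))
    return pkts
```

A ping run with a custom size or fill pattern trips `nonstandard_payload` on its own, so treat the reply mismatch as the stronger signal and tune `min_hits` against your own baseline.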

FAQ

Can I run the Hans server on macOS or Windows?

No. The server only works on Linux due to kernel-level ICMP handling requirements. Clients work on all platforms.

Is ICMP tunneling detectable?

Yes, with deep packet inspection. Standard ICMP echo payloads are predictable; Hans traffic is not. However, many firewalls don't inspect ICMP payloads.

How many clients can connect?

Up to 253 clients, each receiving an IP from the 10.x.x.0/24 subnet (reserving .0 for network and .1 for server).

Will this work through NAT?

Yes, Hans handles NAT traversal well since ICMP echo request/reply pairs are typically tracked by NAT devices.

